CVE-2024-11638: Gtbabel < 6.6.9 - Unauthenticated Admin Account Takeover

Description

The Gtbabel WordPress plugin before 6.6.9 does not ensure that the URL on which it performs code analysis belongs to the blog. This could allow unauthenticated attackers to retrieve the cookies of a logged-in user (such as an admin) by making them open a crafted URL, because the request made to analyse the URL carries those cookies.
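To illustrate the missing check described above, the following is an added example (not code from the Gtbabel plugin or the advisory): a hypothetical analysis helper in its unsafe form, which forwards the visitor's cookies to whatever URL it is given, beside a hardened form that only accepts URLs on the blog's own origin and never copies the cookies at all. `SITE_URL`, `blog.example` and the function names are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed blog home URL for the example (constructed, not from the advisory).
SITE_URL = "https://blog.example"


def is_same_site(candidate: str, site_url: str = SITE_URL) -> bool:
    """Accept only absolute http(s) URLs whose scheme, host and effective
    port equal the blog's own home URL. Other hosts, protocol-relative
    URLs, user@host forms and unexpected ports are all rejected."""
    try:
        c, s = urlsplit(candidate), urlsplit(site_url)
        c_port, s_port = c.port, s.port  # raises ValueError on a bad port
    except ValueError:
        return False
    if c.scheme not in ("http", "https") or c.scheme != s.scheme:
        return False
    if c.username is not None or c.password is not None:
        return False  # "https://blog.example@evil.example/" has host evil.example
    if not c.hostname or c.hostname != (s.hostname or ""):
        return False  # .hostname is already lower-cased by urlsplit
    default = 443 if c.scheme == "https" else 80
    return (c_port or default) == (s_port or default)


def build_analysis_request_unsafe(url: str, incoming_cookie: str) -> dict:
    """The vulnerable pattern: no origin check, and the visitor's Cookie
    header is copied onto the outbound request, so an off-site URL
    receives the session cookies."""
    return {"url": url, "headers": {"Cookie": incoming_cookie},
            "allow_redirects": True}


def build_analysis_request(url: str, incoming_cookie: str) -> dict:
    """Hardened form: refuse off-site targets, do not forward the visitor's
    cookies (incoming_cookie is deliberately unused), and do not follow
    redirects so a same-site URL cannot bounce the request elsewhere."""
    if not is_same_site(url):
        raise ValueError("analysis URL must belong to this blog")
    return {"url": url, "headers": {"User-Agent": "analysis-example"},
            "allow_redirects": False}
```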

Classification

CVE ID: CVE-2024-11638

Problem Types

CWE-269 Improper Privilege Management

Affected Products

Vendor: Unknown

Product: Gtbabel

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 8.61% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-08 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-11638
https://wpscan.com/vulnerability/2f20336f-e12e-4b09-bcaf-45f7249f6495/

Timeline